---
title: "TLS between Gremlin and AGS"
description: "Set up TLS encryption for network traffic between Gremlin clients and Aerospike Graph Service (AGS)."
---

# TLS between Gremlin and AGS


## Overview

This page describes how to set up Transport Layer Security (TLS) for Aerospike Graph Service (AGS) to encrypt network traffic from Gremlin client applications.

### Prerequisites

-   A TLS certificate file (PEM-encoded X.509 format) in the local filesystem.
-   The private key that matches the certificate.
-   A PEM-encoded X.509 Certificate Authority (CA) file (optional).

## Set up Gremlin with AGS

1.  Configure AGS.
    
    In your [AGS properties file](https://aerospike.com/docs/graph/3.1.0/install/docker/#use-a-properties-file), set the following option:
    
    ```txt
    aerospike.graph-service.ssl.enabled=true
    ```
    
2.  Prepare TLS certificates directory.
    
    Create a local directory for storing your TLS certificate files. For example, `/home/graph-user/graph/gremlin-server-tls`.
    
3.  Bind TLS files to a Docker filesystem directory.
    
    The [AGS Docker image](https://aerospike.com/docs/graph/3.1.0/install/docker) must have access to the TLS files. When starting the Docker image, use the `-v` flag to bind-mount the local directory containing the TLS files to the Docker image directory `/opt/aerospike-graph/gremlin-server-tls`. If the certificate is signed by a Certificate Authority, bind the directory containing the CA file separately to the Docker image directory `/opt/aerospike-graph/gremlin-server-ca`.
    

### Filesystem requirements

In the Docker image filesystem, `/opt/aerospike-graph/gremlin-server-tls` must contain exactly two files: the certificate and the private key. Similarly, `/opt/aerospike-graph/gremlin-server-ca` must contain exactly one file: the certificate authority file. AGS fails to launch if incompatible files are found in those directories, or if the number of files is incorrect.

In the examples below, the TLS files are located at the following paths in the local filesystem:

-   Certificate: `/home/graph-user/gremlin-server-tls/myCertificate.crt`
    
-   Private Key: `/home/graph-user/gremlin-server-tls/myCertificateKey.key`
    
-   Certificate Authority (CA): `/home/graph-user/ca/ca.crt`
    

To set up TLS with a CA, start Docker with the following command:

```txt
docker run -p 8182:8182 \
  -v /home/graph-user/graph/conf/aerospike-graph.properties:/opt/aerospike-graph/aerospike-graph.properties \
  -v /home/graph-user/gremlin-server-tls:/opt/aerospike-graph/gremlin-server-tls \
  -v /home/graph-user/ca:/opt/aerospike-graph/gremlin-server-ca \
  aerospike/aerospike-graph-service
```

To set up TLS without a CA, start Docker with the following command:

```txt
docker run -p 8182:8182 \
  -v /home/graph-user/graph/conf/aerospike-graph.properties:/opt/aerospike-graph/aerospike-graph.properties \
  -v /home/graph-user/gremlin-server-tls:/opt/aerospike-graph/gremlin-server-tls \
  aerospike/aerospike-graph-service
```

If AGS encounters any problems with the TLS setup, the image startup fails with an error. If the image starts up without errors, the TLS connection is successful.
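
Because AGS refuses to start when the mounted directories are wrong, the filesystem requirements above can be checked on the host before running `docker run`. The following script is an added example, not part of AGS or its documentation; its function names are hypothetical, it needs the `openssl` CLI, and it assumes the CA file is the issuer of the server certificate.

```shell
#!/usr/bin/env bash
# Added example (not AGS code): preflight for the directories bind-mounted into
# the container. Function names are hypothetical; requires the openssl CLI.

# True only if DIR holds exactly N entries and all are regular files.
# find also counts dotfiles (e.g. .DS_Store), which a plain `ls` would hide.
count_ok() {
    local dir=$1 n=$2
    [ "$(find "$dir" -mindepth 1 -maxdepth 1 | wc -l)" -eq "$n" ] &&
    [ "$(find "$dir" -mindepth 1 -maxdepth 1 -type f | wc -l)" -eq "$n" ]
}

# Prints the single file in DIR whose PEM header matches MARKER (an ERE).
pem_file() {
    local hits
    hits=$(grep -lE -e "-----BEGIN $2-----" "$1"/* 2>/dev/null || true)
    [ -n "$hits" ] && [ "$(printf '%s\n' "$hits" | wc -l)" -eq 1 ] &&
    printf '%s\n' "$hits"
}

# True if the certificate and the private key carry the same public key.
key_matches_cert() {
    local a b
    a=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    b=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

fail() { echo "FAIL: $*" >&2; }

# Usage: ags_tls_preflight TLS_DIR [CA_DIR]
ags_tls_preflight() {
    local tls=$1 ca=${2:-} cert key
    count_ok "$tls" 2 || { fail "$tls must contain exactly two files"; return 1; }
    cert=$(pem_file "$tls" 'CERTIFICATE') || { fail "no single PEM certificate in $tls"; return 1; }
    key=$(pem_file "$tls" '([A-Z]+ )?PRIVATE KEY') || { fail "no single PEM private key in $tls"; return 1; }
    key_matches_cert "$cert" "$key" || { fail "private key does not match certificate"; return 1; }
    if [ -n "$ca" ]; then
        count_ok "$ca" 1 || { fail "$ca must contain exactly one file"; return 1; }
        # Assumption: the CA file is the issuer of the server certificate.
        openssl verify -CAfile "$ca"/* "$cert" >/dev/null 2>&1 ||
            { fail "certificate does not verify against the CA"; return 1; }
    fi
    echo "OK: TLS files are consistent"
}

# Run only when arguments are given, so the file can also be sourced.
if [ "$#" -gt 0 ]; then ags_tls_preflight "$@"; fi
```

Call it as `ags_tls_preflight /home/graph-user/gremlin-server-tls /home/graph-user/ca`, or with only the first argument when no CA is used.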